App Store removes root certificate-based ad blockers over privacy concerns

While Apple has provided a mechanism to create safe, private content blocking extensions for Safari on iPhone and iPad, recently apps like Been Choice have taken it a step further, installing root certificates in order to block ads inside apps as well. The problem with that type of blocking is that it intermediates secure connections and exposes all your private internet traffic to the blocker. Essentially, it's a voluntary person-in-the-middle attack. For that reason, Apple is removing those apps from the App Store. Here's the statement Apple provided me:

"Apple is deeply committed to protecting customer privacy and security," an Apple spokesperson told iMore. "We've removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk."

I was surprised the root certificate-based ad blocking apps were approved to begin with. They perform deep packet inspection of everything done on the internet, including secure financial transactions and private communications, on the ad-blocker's servers and any servers involved in their chain, and in a way that's not easily toggled on or off.

There will no doubt be complaints from people who think they want these apps, and from developers who make the apps. But the potential risk of abuse is simply too high.

Again, this doesn't affect Safari content blockers like Crystal or Purify. Only those using root certificates. Some will question that choice as well. The difference is that the WebKit/Safari team spent time creating a private, secure way to block content in Safari—and the in-app Safari View Controller—that doesn't allow the blocker to do any tracking of its own. They're precompiled and at no point do they get to see what you're doing or where you're doing it.

There's not yet a similarly private, secure way to block content in apps. Unless and until that changes, allowing root-certificate-based content blockers in the App Store goes against Apple's privacy and security policies, which the company has made a major, top-down, front-facing feature of the platform.

Update: Been Choice has responded on Twitter, saying they'll be updating to comply with Apple's policy.

Rene Ritchie
Contributor
